Home / Industry

What WHOIS History Reveals about 3,800+ Verified Phishing Hosts

The ability to retrieve historical WHOIS information can be essential for the cybersecurity community, particularly when it comes to threat hunting and cybercrime investigation. This investigative capability is highlighted in our latest downloadable white paper “Digging Up Zombie Domains: What WHOIS History Reveals about 3,800+ Verified Phishing Hosts” where we analyzed thousands of verified phishing hosts and their historical WHOIS records.

The research conducted in this paper led to various findings, including the below ones:

  • Available domains may have a malicious WHOIS history. Just because a domain is available for registration doesn’t mean that it has never been used.
  • Phishing actors can use both newly registered domains (NRDs) and older domains with deep WHOIS history, although our data revealed more of the latter.
  • WHOIS history can bring to light otherwise hidden breadcrumbs that can be used for further investigation.
  • All TLD registries and registrars are prone to phishing and other forms of domain abuse.

This post elaborates on those main findings and highlights some of the identified trends regarding the ownership history of phishing domains.

Most Phishing Domains Have Deep WHOIS History

Recent indicators of compromise (IoCs), such as those connected to the SolarWinds attack, tell us that threat actors can evade common NRD detection by using older domain names. The WHOIS history analysis of almost 4,000 domains connected to verified phishing URLs revealed a similar trend.

More precisely, about 32% were less than a year old at the time of PhishTank reporting, 24% were 1—5 years old, 14% were 6—10 years old, 7% were 11—15 years old, and 6% were more than 15 years old. In total, over 50% of the domains were more than a year old, with an average of 11 historical WHOIS records each.

Available Domains May Have a Malicious WHOIS History

The white paper revealed that 46% of the domains in our dataset were available for registration as of 17 November 2021. On the other hand, 54% were unavailable. That means their registrants never dropped them, or they were re-registered at some point between June 2020 and November 2021.

Still, the fact that almost half of the malicious domains went through the normal domain expiry cycle indicates that they could be registered again, either for legitimate or malicious purposes. Below are a few examples of verified phishing domains targeting PayPal and Steam that are available for registration (as of 17 November 2021).

PayPalSteam
paypal-updateverify[.]com
paypal-ref236186301836[.]com
paypalcompany[.]ml
paypalcustomersinfo[.]com
banned-paypal[.]com
steamflor[.]gq
steamhatch[.]tk
steamgall[.]ml
steammea[.]cf
steamcommuntly[.]net[.]ru

A possible reason behind the presence of these zombie domains can be the lack of a standard way to report and address malicious domains across registries and registrars.

Following the Breadcrumbs

Of the 1,421 unique registrant email addresses used in the initial domain registration, 822 were unredacted. While some could be aliases or temporary email addresses, historic reverse WHOIS still yielded 5,151 unique domains.

At this point, we went beyond the white paper’s initial findings and checked for maliciousness among the related domains. We found 70 domains flagged as dangerous by malware engines, including the following:

  • btcfxtrades24[.]com
  • find-apple-apple[.]com
  • getsupportnowprogram[.]com
  • icloudnt[.]cn
  • icloudrv[.]cn
  • icloudto[.]cn
  • mybilling-cloud2[.]com
  • mycloud2-billing[.]com
  • mycloud-id2[.]com
  • paypal-inloggen[.]com

Interestingly, 18 of the malicious domains’ current registrant email addresses are also among the 822 email addresses in our initial dataset.

This additional finding suggests that some of the threat actors involved in the phishing activities verified last June 2020 may still be active. They left breadcrumbs through WHOIS history, enabling us to track some of their footprints.

If you are a threat researcher or cybersecurity professional, please contact us for collaboration or access to the historical WHOIS records of the phishing domains in this study.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign